<simpleType name="listOfURIs">\r
<list itemType="anyURI"/>\r
</simpleType>\r
+\r
+ <simpleType name="bindingBoolean">\r
+ <restriction base="string">\r
+ <enumeration value="true"/>\r
+ <enumeration value="false"/>\r
+ <enumeration value="front"/>\r
+ <enumeration value="back"/>\r
+ </restriction>\r
+ </simpleType>\r
\r
<complexType name="PluggableType">\r
<sequence>\r
<attribute name="authType" type="conf:string"/>\r
<attribute name="authUsername" type="conf:string"/>\r
<attribute name="authPassword" type="conf:string"/>\r
- <attribute name="signRequests" type="boolean"/>\r
- <attribute name="signResponses" type="boolean"/>\r
+ <attribute name="signRequests" type="bindingBoolean"/>\r
+ <attribute name="signResponses" type="bindingBoolean"/>\r
<attribute name="signatureAlg" type="anyURI"/>\r
<attribute name="digestAlg" type="anyURI"/>\r
- <attribute name="encryptRequests" type="boolean"/>\r
- <attribute name="encryptResponses" type="boolean"/>\r
+ <attribute name="encryptRequests" type="bindingBoolean"/>\r
+ <attribute name="encryptResponses" type="bindingBoolean"/>\r
<attribute name="encryptionAlg" type="anyURI"/>\r
<attribute name="keyName" type="conf:string"/>\r
<attribute name="artifactEndpointIndex" type="unsignedShort"/>\r
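Review bot: Switching signRequests/signResponses/encryptRequests/encryptResponses from `boolean` to the new `bindingBoolean` drops the `1`/`0` lexical forms that xs:boolean accepts, so an existing configuration spelled that way stops validating; that break should be called out, or `1`/`0` added to the enumeration if the readers are meant to keep accepting them. The new simpleType also carries no `<annotation><documentation>` saying what `front` and `back` select; from the C++ hunks further down they appear to mean front-channel (browser) and back-channel (SOAP) bindings, so confirm and document that on the type. The visible C++ hunks update only the sign* readers — if the encrypt* readers elsewhere still go through getBool, the new `front`/`back` values will be silently ignored there; please check.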
)=0;
/**
+ * Locates an existing session or sessions by subject identifier.
+ *
+ * @param issuer source of session(s)
+ * @param nameid name identifier associated with the session(s) to locate
+ * @param index index of session, or NULL for all sessions associated with other parameters
+ * @param application reference to Application that owns the session(s)
+ * @param sessions on exit, contains the IDs of the matching sessions
+ */
+ virtual void find(
+ const opensaml::saml2md::EntityDescriptor& issuer,
+ const opensaml::saml2::NameID& nameid,
+ const char* index,
+ const Application& application,
+ std::vector<std::string>& sessions
+ )=0;
+
+ /**
* Deletes an existing session or sessions.
*
* @param issuer source of session(s)
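Review bot: The new `@param sessions` says the vector "contains the IDs of the matching sessions" on exit, but the only implementation visible (the SSCache::byname hunk, L176) pushes onto it without clearing first, so a caller passing a non-empty vector gets the union. Spell the contract out either way, e.g. `@param sessions on exit, has the IDs of the matching sessions appended`; whether the interface should instead clear the vector is for the implementers to settle, but the doc must not leave it ambiguous.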
{
// Check for message signing requirements.
m_relyingParty = m_app.getRelyingParty(dynamic_cast<const EntityDescriptor*>(peer.getRole().getParent()));
- pair<bool,bool> flag = m_relyingParty->getBool("signRequests");
- if (flag.first && flag.second) {
+ pair<bool,const char*> flag = m_relyingParty->getString("signRequests");
+ if (flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, "back"))) {
m_credResolver=m_app.getCredentialResolver();
if (m_credResolver) {
m_credResolver->lock();
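Review bot: The accepted spellings on the new `if` are checked with raw `strcmp` calls that are repeated verbatim in the signResponses and SAML2 signRequests hunks further down (L77, L99), differing only in the channel literal; a shared helper such as `static bool signingEnabled(const pair<bool,const char*>& flag, const char* channel) { return flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, channel)); }` would keep the three sites in step when the enumeration changes. That helper should also guard `flag.second` against NULL unless getString() guarantees a non-null value whenever `first` is true — I cannot tell from here. The enclosing function starts outside the hunk.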
{
string address(appId);
address += getString("Location").second;
- address += "::run::ACS";
setAddress(address.c_str());
#ifndef SHIBSP_LITE
if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
const EntityDescriptor* entity =
policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
const PropertySet* relyingParty = application.getRelyingParty(entity);
- pair<bool,bool> flag = relyingParty->getBool("signResponses");
- if (flag.first && flag.second && policy.getIssuerMetadata()) {
+ pair<bool,const char*> flag = relyingParty->getBool("signResponses");
+ if (policy.getIssuerMetadata() && flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, "back"))) {
CredentialResolver* credResolver=application.getCredentialResolver();
if (credResolver) {
Locker credLocker(credResolver);
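Review bot: `relyingParty->getBool("signResponses")` on the changed line is assigned to a `pair<bool,const char*>`; the removed line shows getBool yields `pair<bool,bool>`, so this does not convert, and the sibling hunks (L59, L98) use `getString` for the same purpose — the line should read `pair<bool,const char*> flag = relyingParty->getString("signResponses");`. As written the `strcmp` on the next line would also be comparing against a bool. The function this sits in starts and ends outside the hunk.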
pair<bool,const XMLCh*> outgoing = getXMLString("outgoingBindings");
if (outgoing.first) {
m_outgoing = XMLString::replicate(outgoing.second);
+ XMLString::trim(m_outgoing);
}
else {
// No override, so we'll install a default binding precedence.
string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;
m_outgoing = XMLString::transcode(prec.c_str());
- XMLString::trim(m_outgoing);
}
int pos;
// Check for signing.
const PropertySet* relyingParty = app.getRelyingParty(entity);
- pair<bool,bool> flag = relyingParty->getBool("signRequests");
- if ((flag.first && flag.second) || role->WantAuthnRequestsSigned()) {
+ pair<bool,const char*> flag = relyingParty->getString("signRequests");
+ if (role->WantAuthnRequestsSigned() || (flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, "front")))) {
CredentialResolver* credResolver=app.getCredentialResolver();
if (credResolver) {
Locker credLocker(credResolver);
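Review bot: The literal `"front"` on the new `if` (and `"back"` in the earlier signRequests hunk at L60) carries the whole meaning of the new bindingBoolean type, yet neither site says why that channel applies; a why-comment before the check, `// signRequests="front" covers this front-channel AuthnRequest; "back" applies to the SOAP/artifact path`, would let the next reader verify the mapping — that mapping is my reading of the two sites, so confirm it. Moving `XMLString::trim` onto the replicated override value and dropping it from the constant default looks right. The constructor this sits in starts and ends outside the hunk.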
);\r
Session* find(const char* key, const Application& application, const char* client_addr=NULL, time_t* timeout=NULL);\r
void remove(const char* key, const Application& application);\r
+ void find(\r
+ const saml2md::EntityDescriptor& issuer,\r
+ const saml2::NameID& nameid,\r
+ const char* index,\r
+ const Application& application,\r
+ vector<string>& sessions\r
+ ) {\r
+ byname(issuer, nameid, index, application, sessions, false);\r
+ }\r
void remove(\r
const saml2md::EntityDescriptor& issuer,\r
const saml2::NameID& nameid,\r
const char* index,\r
const Application& application,\r
vector<string>& sessions\r
- );\r
+ ) {\r
+ byname(issuer, nameid, index, application, sessions, true);\r
+ }\r
\r
Category& m_log;\r
StorageService* m_storage;\r
private:\r
// maintain back-mappings of NameID/SessionIndex -> session key\r
void insert(const char* key, time_t expires, const char* name, const char* index);\r
+ void byname(\r
+ const saml2md::EntityDescriptor& issuer,\r
+ const saml2::NameID& nameid,\r
+ const char* index,\r
+ const Application& application,\r
+ vector<string>& sessions,\r
+ bool logout\r
+ );\r
\r
bool stronglyMatches(const XMLCh* idp, const XMLCh* sp, const saml2::NameID& n1, const saml2::NameID& n2) const;\r
};\r
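Review bot: `byname` gets no comment in the class, while the comment above `insert` documents only the back-mapping itself; since both public overloads forward to it and only the `logout` flag distinguishes them, add above `void byname(`: `// shared body of find()/remove(): appends the keys of sessions matching the NameID/index to sessions; with logout=true each match is also removed`. The wording reflects the byname implementation hunk below (L172-L176); confirm it against the full body. The inline `find` could likewise note that `sessions` is appended to, not cleared.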
xlog->log.info("Destroyed session (applicationId: %s) (ID: %s)", application.getId(), key);\r
}\r
\r
-void SSCache::remove(\r
+void SSCache::byname(\r
const saml2md::EntityDescriptor& issuer,\r
const saml2::NameID& nameid,\r
const char* index,\r
const Application& application,\r
- vector<string>& sessionsKilled\r
+ vector<string>& sessionsKilled,\r
+ bool logout\r
)\r
{\r
#ifdef _DEBUG\r
auto_ptr_char entityID(issuer.getEntityID());\r
auto_ptr_char name(nameid.getName());\r
\r
- m_log.info("request to logout sessions from (%s) for (%s) for session index (%s)", entityID.get(), name.get(), index ? index : "all");\r
+ m_log.info(\r
+ "request to %s sessions from (%s) for (%s) for session index (%s)",\r
+ logout ? "logout" : "locate", entityID.get(), name.get(), index ? index : "all"\r
+ );\r
\r
if (strlen(name.get()) > 255)\r
const_cast<char*>(name.get())[255] = 0;\r
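Review bot: The renamed function keeps the parameter name `sessionsKilled` although with `logout == false` nothing is killed, and the declaration in the class (L136) already calls it `sessions`; `vector<string>& sessions,` here too would stop the name contradicting the `"locate"` text the new log line emits. The `_DEBUG`-only log is currently the only place the `logout` flag's meaning is visible, which is too easy to miss. byname's body continues past the hunk.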
if (session->getEntityID() && !strcmp(session->getEntityID(), entityID.get())) {\r
// Same NameID?\r
if (stronglyMatches(issuer.getEntityID(), application.getXMLString("entityID").second, nameid, *session->getNameID())) {\r
- remove(key.string(), application); // let this throw to detect errors in case logout failed\r
+ if (logout) {\r
+ remove(key.string(), application); // let this throw to detect errors in case the full logout fails?\r
+ key.destroy();\r
+ }\r
sessionsKilled.push_back(key.string());\r
- key.destroy();\r
}\r
else {\r
m_log.debug("session (%s) contained a non-matching NameID, leaving it alone", key.string());\r
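Review bot: On the logout path the new block calls `key.destroy()` before the `sessionsKilled.push_back(key.string())` that now follows it, whereas the old code read the key first and destroyed it last; if `destroy()` releases the node's storage (its name and the old ordering suggest so), the push_back reads a freed string. Copy the key up front — `string k(key.string());` before `if (logout)`, then `remove(k.c_str(), application);` and `sessionsKilled.push_back(k);` — so the order no longer matters. The comment `// let this throw to detect errors in case the full logout fails?` should state the decision rather than ask it, e.g. `// let remove() throw so a failed logout is reported to the caller`. The loop this sits in starts and ends outside the hunk.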
if (obj.isnull()) {\r
m_storage->deleteText("Logout", name.get());\r
}\r
- else {\r
+ else if (!sessionsKilled.empty()) {\r
ostringstream out;\r
out << obj;\r
if (m_storage->updateText("Logout", name.get(), out.str().c_str(), 0, ver) <= 0)\r
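Review bot: `else if (!sessionsKilled.empty())` still rewrites the `Logout` record in locate mode, where the matching branch above (L172-L176) only appended to `sessionsKilled` and never ran `key.destroy()`, so `obj` is unchanged; `else if (logout && !sessionsKilled.empty())` skips the no-op update and the version bump that goes with it. The condition sits in byname, whose body starts outside the hunk.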